Tags: ssl, wso2, ssl-certificate, wso2-esb, wso2-micro-integrator

WSO2 IntegrationStudio 8.2.0 Disable Verification


Thanks to @ycr (:-)) I made some steps forward, but I still get SSL errors when trying to reach an endpoint that requires SSL on the client side (i.e. a p12 certificate or its .crt/.key equivalent). I followed this, as suggested by ycr. Now, when I call the endpoint from Postman through WSO2 MI (the instance embedded in Integration Studio), it throws: "Host name verification failed for host"; the exception refers to org.apache.synapse.transport.http.conn.ClientSSLSetupHandler.verify(ClientSSLSetupHandler.java:182).

Now, as I said in my previous post, I can successfully connect to the endpoint (https://37.186.199.242:6443/web-app) with a Python script:

import json
import requests

# client certificate and private key (PEM) presented for mutual TLS
cert = r"path\cert.crt"
key = r"path\cert.key"
headers = {'Content-type': 'application/json', 'Accept': 'application/json, text/plain, */*'}
data = json.dumps(None)
# verify=False skips the server certificate and hostname checks entirely
response = requests.post("https://37.186.199.242:6443/web-app", data=data, headers=headers, cert=(cert, key), verify=False)

which gives me the same response as querying the URL in Chrome with the cert.p12 certificate installed.

but when I try the requests.post with verify=True, I get the following Python exception:

requests.exceptions.SSLError: HTTPSConnectionPool(host='37.186.199.242', port=6443): Max retries exceeded with url: /web-app (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)')))

which sounds pretty much the same as the SSLException thrown by ClientSSLSetupHandler. Thus, I reckon, should I replicate the same behaviour in WSO2 MI by disabling host verification? Looking at the ClientSSLSetupHandler.java class source code, this is achieved by setting HostnameVerifier = AllowAll.

as for the inline code:

/**
 * The ALLOW_ALL HostnameVerifier essentially turns hostname verification
 * off. This implementation is a no-op, and never throws the SSLException.
 */

promising! But how to set that?

I went through several posts. The best guess I could find is here, suggesting to include the following in axis2.xml.

<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
   <!--...-->
   <!--supports Strict|AllowAll|DefaultAndLocalhost or the default if none specified -->
   <parameter name="HostnameVerifier">AllowAll</parameter>
   <!--supports Strict|AllowAll|DefaultAndLocalhost or the default if none specified -->
</transportSender>
  1. I'm not sure whether I should adjust the transportSender class attribute to target class="org.apache.synapse.transport.http.conn.ClientSSLSetupHandler", or possibly some other superclass or abstract class.
  2. It seems axis2.xml is rewritten by the MI engine every time I start it up. Thus, there must be another way! Any suggestion? Thanks in advance.

p.s. As I'm getting really into WSO2, but it is a rather complicated world, is there a document I can study that explains (for dummies like me :-) how each piece is connected? I mean: Carbon, Synapse, Axis2, WSO2 Application Manager, WSO2 Micro Integrator and its dashboard, ESB...


Solution

  • Disabling hostname verification is not good practice. Ideally, you should create proper certificates with a proper domain name and use that domain name to access the service rather than the IP. If you still want to disable hostname verification, try adding the following to deployment.toml:

    [transport.http]
    sender.hostname_verifier = "AllowAll"
    

    Update

    Since you have a public IP I just checked your cert and it doesn't look correct.

    [screenshot of the certificate served by 37.186.199.242:6443]

    Your CN should be something like *.dflight.com, and then you should use this hostname to access the service (e.g. https://staging.dflight.com). If you haven't purchased this domain, you can add it to your hosts file and access it that way.

    Take a look at the following cert used by WSO2.

    [screenshot of the certificate used by WSO2]

    This answer will also help you I believe.
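To make the answer's point concrete, and to show why both the question's Python script (with verify=True) and the Synapse sender reject the same endpoint: the following is an added Python example, not code from the question, the answer, or WSO2. It decides hostname verification for three constructed certificates (shaped like the dict ssl.SSLSocket.getpeercert() returns; the real certificate at 37.186.199.242 is not reproduced) and models the three HostnameVerifier values named in the axis2.xml snippet. Two details are assumptions rather than facts from the page: Strict and Default are collapsed into one check that uses the strict one-label wildcard rule, and DefaultAndLocalhost is modelled as the default check plus a loopback allow-list.

```python
"""Hostname verification, worked through: why a certificate fails for a raw IP
and what each WSO2/Synapse HostnameVerifier value accepts (added example)."""
import ipaddress

# Constructed sample certificates, shaped like ssl.SSLSocket.getpeercert() output.
# CN is a wildcard with matching dNSName SANs, as the answer recommends.
CERT_WILDCARD = {
    "subject": ((("commonName", "*.dflight.com"),),),
    "subjectAltName": (("DNS", "*.dflight.com"), ("DNS", "dflight.com")),
}
# Hand-made self-signed cert: an IP literal in the CN and no SAN at all.
CERT_CN_ONLY = {
    "subject": ((("commonName", "37.186.199.242"),),),
}
# Cert that is valid for the raw IP because it carries an IP Address SAN.
CERT_IP_SAN = {
    "subject": ((("commonName", "api.dflight.com"),),),
    "subjectAltName": (("DNS", "api.dflight.com"), ("IP Address", "37.186.199.242")),
}

# Assumption: the loopback names DefaultAndLocalhost is modelled to accept.
LOCALHOST_NAMES = {"localhost", "localhost.localdomain", "127.0.0.1", "::1"}


def _dns_matches(pattern: str, host: str) -> bool:
    """Strict RFC 6125 style match: a wildcard may only stand for the whole
    left-most label, never for several labels or for the bare domain."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def default_verify(cert: dict, host: str) -> bool:
    """The default behaviour: an IP literal host must match an IP Address SAN;
    a DNS host matches a dNSName SAN, or the CN only when no dNSName SAN exists."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # A CN holding the IP does not count; only an IP Address SAN does.
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    dns_sans = [val for kind, val in sans if kind == "DNS"]
    if dns_sans:
        return any(_dns_matches(p, host) for p in dns_sans)
    cns = [val for rdn in cert.get("subject", ()) for key, val in rdn if key == "commonName"]
    return any(_dns_matches(cn, host) for cn in cns)


def verify_hostname(cert: dict, host: str, mode: str = "Default") -> bool:
    """Mirror of the HostnameVerifier choices (Strict|AllowAll|DefaultAndLocalhost|default).
    AllowAll never fails, which is exactly why it is unsafe: a MITM with any
    certificate passes. Strict and Default share one check here (assumption)."""
    if mode == "AllowAll":
        return True
    if mode == "DefaultAndLocalhost" and host.lower() in LOCALHOST_NAMES:
        return True
    if mode in ("Default", "Strict", "DefaultAndLocalhost"):
        return default_verify(cert, host)
    raise ValueError(f"unknown HostnameVerifier mode: {mode}")


if __name__ == "__main__":
    certs = [("wildcard", CERT_WILDCARD), ("cn-only", CERT_CN_ONLY), ("ip-san", CERT_IP_SAN)]
    for name, cert in certs:
        for host in ("37.186.199.242", "staging.dflight.com", "localhost"):
            print(f"{name:9} {host:22} Default={verify_hostname(cert, host)!s:5} "
                  f"DefaultAndLocalhost={verify_hostname(cert, host, 'DefaultAndLocalhost')}")
```

Running it shows the wildcard certificate passing for staging.dflight.com and failing for the raw IP, which is the failure the Synapse sender reports when the endpoint is addressed by IP; the only certificate that passes for 37.186.199.242 is the one with an IP Address SAN. Once the certificate matches the name you actually connect to, the question's Python script can replace verify=False with verify="path/to/the-ca-or-self-signed-cert.pem" while keeping the cert=(cert, key) client pair, and the AllowAll setting in deployment.toml is no longer needed.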